Amendments to PA data breach notification law will take effect soon

Recent amendments to Pennsylvania’s data breach law, the Breach of Personal Information Notification Act, will take effect May 3. The amendments were enacted in November.

Originally enacted in 2006, the Act provides for the security of computerized data and requires notification to Pennsylvania residents whose personal information data was, or may have been, disclosed due to a breach of the security of an entity’s system. 

In amending the Act, the state legislature took steps similar to those of other states’ data breach notification statutes and expanded the definition of “personal information.” The expanded definition that will take effect May 3 includes medical and health information, and a user name or email address in combination with a password or security questions and answers that would permit access to an online account. These are in addition to the categories of personal information that all states regulate, for example a name in combination with a Social Security Number, driver license number or state identification card number, or a financial account or debit/credit card number in combination with an access code, password, or security code that would allow access to the account.

The Act currently requires notification when a “discovery” has been made that there was a security breach. As amended, the Act will require notification when a “determination” of a breach has been made. The new standard will be more entity-friendly than the prior standard because it takes into account an entity’s need to investigate whether a breach has occurred before it is obligated to provide notice. A “discovery” occurs when the entity has “[t]he knowledge of or reasonable suspicion” that a breach has occurred. A “determination” occurs when the entity has “[a] verification or reasonable certainty” that a breach has occurred.

A “breach of the security of the system” is defined as “unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals . . ..”

The Act currently applies to state agencies, but the amendments will expand the Act to cover “State Agency Contractors” as well. The amended Act includes specific timelines and requirements for notification by state agencies, state agency contractors, public schools, counties, and municipalities when a determination of breach has been made. For example, state agencies and their contractors will have seven business days to notify individuals after the breach determination, and they must also notify the Office of the Attorney General by the same deadline. Counties, public schools, and municipalities will have seven days to notify individuals, and three days to notify the district attorney’s office in the county in which the breach occurred. Other governmental entities are not required to notify the AG’s office.

The amendments include provisions that require state agencies and state agency contractors to protect the personal information of the Commonwealth that they maintain, store, or manage. These protective measures include encryption “or other appropriate” security measures to protect the information from unauthorized access or acquisition, both when being transmitted and when “at rest.” The amendments also require the development of policies and procedures to protect such data. With regard to storing personal information on behalf of the Commonwealth, the amended Act requires state agencies and their contractors to “develop a policy to govern reasonably proper storage of the personal information” with the goal of reducing the risk of future breaches of the security of the systems. The amendments even dictate the considerations that state agencies and their contractors must take into account when developing those policies and procedures, including best practices considered by the federal government and the Commonwealth.

Other changes in the amended Act include the following:

  • Entities will be allowed to provide email notice to the affected individuals when the breach involves a user name or email address in combination with a password, or a security question and answer that would permit access to an online account. Email notice will be permitted under these circumstances if the email directs the individual to promptly change his or her password and security question or answer, or to take other appropriate steps to protect the online account with the entity or other online accounts involving the same personal information.
  • Entities will be deemed to comply with the Pennsylvania law if they are in compliance with the privacy rule of the federal Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act.
  • State agencies and their contractors will be deemed to comply with the Pennsylvania law if they are in compliance with the notification requirements established by their primary state or functional federal regulators.

In sum, the amendments will bring Pennsylvania’s data breach notification scheme into line with those of other states that are seeking to hold entities responsible for the protection of consumer personal information and personal health information. The amended Act will hold state agencies (including public schools) and their contractors to stricter notification requirements and a higher degree of responsibility when maintaining, storing, and managing personal information. On a more positive note, the amendments will allow entities to investigate and make a “determination” that a breach has occurred before their notification obligation takes effect; entities will be able to provide certain notifications by email; and they may be exempt if they are in compliance with other specified regulatory obligations.

Author: Lauren Godfrey, Partner

Lauren guides clients through data security incidents, leading initial assessments and coordinating forensic and remediation efforts to contain, investigate, and resolve issues. She helps clients develop privacy, incident ...
